Practical continuous-variable quantum key distribution with composable security

A quantum key distribution (QKD) system must fulfill the requirement of universal composability to ensure that any cryptographic application (using the QKD system) is also secure. Furthermore, the theoretical proof responsible for security analysis and key generation should cater to the number N of the distributed quantum states being finite in practice. Continuous-variable (CV) QKD based on coherent states, despite being a suitable candidate for integration in the telecom infrastructure, has so far been unable to demonstrate composability as existing proofs require a rather large N for successful key generation. Here we report a Gaussian-modulated coherent state CVQKD system that is able to overcome these challenges and can generate composable keys secure against collective attacks with N ≈ 2 × 108 coherent states. With this advance, possible due to improvements to the security proof and a fast, yet low-noise and highly stable system operation, CVQKD implementations take a significant step towards their discrete-variable counterparts in practicality, performance, and security.

A quantum key distribution (QKD) system must fulfill the requirement of universal composability to ensure that any cryptographic application (using the QKD system) is also secure. Furthermore, the theoretical proof responsible for security analysis and key generation should cater to the number N of the distributed quantum states being finite in practice. Continuous-variable (CV) QKD based on coherent states, despite being a suitable candidate for integration in the telecom infrastructure, has so far been unable to demonstrate composability as existing proofs require a rather large N for successful key generation. Here we report a Gaussian-modulated coherent state CVQKD system that is able to overcome these challenges and can generate composable keys secure against collective attacks with N ≈ 2 × 10 8 coherent states. With this advance, possible due to improvements to the security proof and a fast, yet low-noise and highly stable system operation, CVQKD implementations take a significant step towards their discrete-variable counterparts in practicality, performance, and security.
Quantum key distribution (QKD) is the only known cryptographic solution for distributing secret keys to users across a public communication channel while being able to detect the presence of an eavesdropper 1,2 . In an ideal case, legitimate QKD users (Alice and Bob) encrypt their messages with the secret keys and exchange them with the assurance that the eavesdropper (Eve) cannot break the confidentiality of the encrypted messages.
In one of the most well-known flavors of QKD, the quantum information is coded in continuous variables [2][3][4][5] , such as the amplitude and phase quadratures of the optical field, described by an annihilation operatorâ. Alice encodes random bits, e.g., by modulating the optical signal field to obtain a coherent state that follows the relationâ sig |αi = α sig |αi, with the real [imaginary] part of the complex value α sig equal to the amplitude [phase] quadrature.
Bob decodes this information using coherent detection, facilitated by a so-called local oscillator (LO), that yields a quantity / β LOb y sig + β * LObsig for an incoming field operatorb sig and with |β LO | 2 as the LO intensity. Figure 1 shows these steps of quantum state preparation, transmission (on a quantum channel) and measurement, which Alice and Bob perform in the beginning of the continuous-variable (CV)QKD protocol. The quantum stage is followed by classical data processing steps and a security analysis, performed in accordance with a mathematical "security" proof, to obtain a key of a certain length. For this purpose, Alice and Bob use an authenticated channel on which Eve cannot modify the communicated messages but can learn their content. Once the classical stage concludes, Alice and Bob use their secret keys to encrypt their messages, and the resulting ciphertexts are exchanged using a communication channel, e.g., a telephone line, and decrypted.
Amongst the many physical considerations included in the security proof, Eve's actions on the channels (particularly her interaction with the transmitted quantum states) are classified in the form of individual, collective, or general attacks, in increasing order of power and generality 1,2 . For instance, a security proof catering to a collective attack permits Eve to store the result of her interactions with the quantum states in a quantum memory, and later perform a collective measurement. Also, the fact that Alice and Bob cannot avail an infinite number of quantum states in practice adversely affects the key length but such finite-size corrections are essential for the security assurance. Another related property of a secret key is composability 6 , which allows specifying the security requirements for combining different cryptographic applications in a unified and systematic way. In the context of practical QKD, composability is of utmost importance because the secret keys obtained from a protocol are used in other applications, e.g. data encryption 7 . A secret key not proven to be composable is thus practically useless.
Composable security in CVQKD was first proven 8 and experimentally demonstrated 9 using two-mode squeezed states, but the achievable communication distance was rather limited since the employed entropic uncertainty relation is not tight. Composable proofs for CVQKD systems using coherent states and dual quadrature detection, first proposed in 2015 10 , have been progressively improved [11][12][13][14][15] . Some of these proofs even provide security against general attacks, but all promise keys at distances much longer than in ref. 8 apart from the advantage of dealing with coherent states, which are much easier to generate than squeezed states.
Nonetheless, the strongest proof 16 that actual coherent-state CVQKD implementations, e.g., refs. 17-21, have used so far unfortunately does not include composable definitions. An experimental demonstration of composability in CVQKD has thus remained elusive, and this is due to a combination of the strict security bounds (because of a complex parameter estimation routine), the large number of required quantum state transmissions (to keep the finite-size terms sufficiently low), and the stringent requirements on the tolerable excess noise.
In this article, we demonstrate a CVQKD setup of low complexity that is capable of generating composable keys secure against collective attacks. We achieve this by deriving a method for establishing confidence intervals compatible with collective attacks, which allows us to work on smaller (and thus more practical) block sizes than originally required 10 . Alice produces coherent states by encoding Gaussian information in frequency (side-)bands shifted away from the optical carrier 22 by means of a single electro-optical in-phase and quadrature (IQ) modulator. Bob decodes this information using real LO-assisted radio frequency (RF) heterodyning, implemented with a single balanced detector, followed by digital signal processing (DSP) 23 . By performing a careful analysis to either eradicate or avoid various spurious noise components, and by implementing a machine learning framework for phase compensation 24 , we are able to keep the excess noise below the null key length threshold. After taking finite-size effects as well as confidence intervals from various system calibrations into account, we achieve a positive composable key length with merely N ≈ 2 × 10 8 coherent states (also referred to as 'quantum symbols' from hereon) transmitted over a 20 km long fiber-optic channel. With N = 10 9 , we obtain > 41 Mbits worth of key material that is composably secure against collective attacks, assuming worst-case confidence intervals.

Composably secure key
A DSP routine at the end of the quantum stage yields the digital quantum symbols discretized with d bits per quadrature. This stream is divided into M frames for information reconciliation (IR), after which we perform parameter estimation (PE) and privacy amplification (PA); as visualized in Fig. 1. We derive the secret key bound for reverse reconciliation, i.e., Alice correcting her data according to Bob's quantum symbols Y . The (composable) secret key length s n for n coherent state transmissions is calculated using tools from refs. 10,15 as well as results presented in the following. The key length is bounded per the leftover hash lemma in terms of the smooth min-entropy H ϵ s min of Y conditioned on the quantum state of the eavesdropper E with ϵ s as the smoothing parameter 25 . From this we subtract the information reconciliation leakage leak IR (n, ϵ IR ) and obtain, The security parameter ϵ h characterizes the hashing function and ϵ IR describes the failure probability of the correctness test after IR. The probability p 0 that IR succeeds in a frame is related to the frame error rate (FER) by p 0 = 1ÀFER. All frames in which IR failed are discarded from the raw key stream, and this step thereby projects the original tensor product state ρ n ≡ ρ ⊗n into a non i.i.d. state τ n . To take this into account, one replaces the smooth min-entropy term in Eq. (1) with the expression 15 : where n 0 = np 0 is the number of quantum symbols remaining after error correction.
The asymptotic equipartition property (AEP) bounds the conditional min-entropy in the following way, where is an improved penalty (proof provided in the "Methods" section) in comparison to ref. 10,15 and the conditional von-Neumann entropy Hð Y |EÞ ρ from Eq. (3) is given by We estimate the Shannon entropy Hð Y Þ directly from the data (up to a probability ≤ ϵ ent , further details in the "Methods" section). The second term is Eve's Holevo bound with respect to Y that satisfies, where Y is the continuous version of Y and IðY ; EÞ ρ G is the Holevo information obtained by using the extremality property of Gaussian attacks.
The Holevo information is estimated by evaluating the covariance matrix using worst-case estimates for its entries based on confidence intervals. We improved the confidence intervals of ref. 10 by exploiting the properties of the Beta distribution. Letx,ŷ,ẑ be the estimators for the variance of the transmitted ensemble of coherent states, the received variance and the co-variance, respectively. The true values y and z are bound by with ϵ PE denoting the failure probability of parameter estimation, and being the confidence intervals (derived in Supplementary Note 1). In the above equations, where "invcdf" is the inverse cumulative distribution function. As detailed in section "Discussion", the (length of the) secret key we eventually obtain in our experiment requires an order of magnitude lower N due to these confidence intervals.
Finally, we remark here on a technical limitation arising due to the digitization of Alice's and Bob's data. In practice, it is impossible to implement a true Gaussian protocol because the Gaussian distribution is both unbounded and continuous, while realistic devices have a finite range and bit resolution 14,26 . In our work, we consider a range of 7 standard deviations and use d = 6 bits, leading to a constellation with 2 2d = 4096 coherent states. Per recent results 27,28 , this should suffice to minimise the impact of digitization on the security of the protocol. For keeping the analysis simple, we however assume perfect Gaussian modulation. Figure 2 shows the schematic of our setup, consisting of a transmitter and a receiver connected together by a 20 km long standard single mode fiber spool, which formed the quantum channel. We performed optical single sideband modulation with carrier suppression (OSSB-CS) using an optical source (Tx laser) from NKT Photonics, and an IQ modulator plus automatic bias controller (IQmod+ABC) from ixBlue. An arbitrary waveform generator (AWG) was connected to the RF ports to modulate the sidebands. The coherent states were produced in a B = 100 MHz wide frequency sideband, shifted away from the optical carrier 22,29 . Random numbers drawn from a Gaussian distribution obtained by transforming the uniform distribution of a vacuumfluctuation based quantum random number generator (QRNG) with a security parameter ϵ qrng = 2 × 10 −6 formed the complex amplitudes of these coherent states 30 . To this broadband 'quantum data' signal, centered at f u = 200 MHz, we multiplexed in frequency a 'pilot tone' at f p = 25 MHz for sharing a phase reference with the receiver 23,31-33 . The left inset of Fig. 2 shows the complex spectra of the RF modulation signal.

Experimental implementation
After propagating through the quantum channel, the signal field's polarization was manually tuned to match the polarization of the real local oscillator (RLO) for heterodyning [31][32][33] . The Rx laser that supplied the RLO was free-running with respect to the Tx laser and detuned in frequency by~320 MHz, giving rise to a beat signal, as labeled in the solid-red spectral trace in the right inset of Fig. 2. The quantum data band and pilot tone generated by the AWG are also labeled. Due to finite OSSB 29 , a suppressed pilot tone is also visible; the corresponding suppressed quantum band was however outside the receiver bandwidth (we used a low pass filter with a cutoff frequency around 360 MHz at the output of the homemade heterodyne detector 30 ). As shown, the Tx and Rx had their clocks synchronized, and the Tx provided a trigger for data acquisition in Rx 34,35 .
Separately, we also measured the vacuum noise (Tx laser off, Rx laser on) and the electronic noise of the detector (both Tx and Rx lasers off), depicted by the dotted-blue and dashed-green traces, respectively, in the right inset of Fig. 2. The clearance of the vacuum noise over the electronic noise is > 15 dB over the entire quantum data band.

Noise analysis & calibration
A careful choice of the parameters defining the pilot tone and the quantum data band and their locations with respect to the beat signal is crucial in minimizing the excess noise. A strong pilot tone enables more accurate phase reference but at the expense of higher leakage in the quantum band and an increased number of spurious tones. The latter may arise as a result of frequency mixing of the (desired) pilot tone with e.g., the beat signal or the suppressed pilot tone. As can be observed in the right inset of Fig. 2, we avoided spurious noise peaks resulting from sum-or difference-frequency generation of the various discrete components (in the solid-red trace) from landing inside the wide quantum data band.
In CVQKD, it is well known that Alice needs to optimize the modulation strength of the coherent state alphabet at the input of the quantum channel to maximize the secret key length. For this, we connected the Tx and Rx directly, i.e., without the quantum channel, and performed heterodyne measurements to calibrate the mean photon number μ of the coherent states' ensemble. The AWG electronic gain and the variable attenuator (VATT) provided a fine-grained knob to control the modulation strength.
Since we conducted our experiment in the non-paranoid scenario 1,26 , i.e., we trusted some parts of the overall loss and excess noise by assuming them to be beyond Eve's control, some extra measurements and calibrations for the estimation of trusted parameters become necessary. More specifically, we decomposed the total transmittance and excess noise into respective trusted and untrusted components. In Supplementary Note 4, we present the details of the calibration of the receiver efficiency (trusted transmittance) τ = 0.69 and trusted noise from the detector ξ t = 25.71 × 10 −3 photon number unit (PNU). Let us remark here that in our work, we express the noise and other variance-like quantities, e.g., the modulation strength, in PNU as opposed to the traditional shot noise unit (SNU). The former is independent of quadratures and facilitates a comparison with discretevariable (DV) QKD systems 36 , highlighted using μ in Table 1. A simple factor of 2 relates these units: 1 photon number unit (PNU) corresponds to a variance of 2 shot noise units (SNU). Finally, note that we recorded a total of 10 10 ADC samples for each of the calibration measurements, and all the acquired data was stored on a hard drive for offline processing.

Protocol operation
After setting μ = 1.45 PNU, we connected the Tx and Rx using the 20 km channel, optimized the signal polarization, and then collected heterodyne data using the same Gaussian distributed random numbers as mentioned above. Offline DSP 24 provided the symbols that formed the raw key. The preparation and measurement was performed with a total of 10 9 complex symbols. After discarding some symbols due to a synchronization delay, Alice and Bob had a total of N IR = 9.88 × 10 8 correlated symbols at the beginning of the classical phase of the protocol, the implementation of which we describe below. Note that we assumed the existence of an authenticated channel for these steps.
1. IR was based on a multi-dimensional scheme 37 using multi-edgetype low-density-parity-check error correcting codes 38 . As shown in Fig. 1, Bob sent the mapping and the syndromes, together with the hashes computed using a randomly chosen Toeplitz function, to Alice, who performed correctness confirmation and communicated it to Bob. We obtained a reconciliation efficiency β = 94.3% and FER = 12.1% for the experimental data. In Supplementary Note 5, we provide further details about the operating regime and the performance of these codes. Due to the non-zero FER, Alice and Bob had N PA = 8.69 × 10 8 complex symbols for distilling the secret key via PA. 2. During PE, Alice estimated the entropy of the corrected symbols, and together with the symbols from the erroneous frames, i.e., frames that could not be reconciled successfully (and were publicly announced by Bob), Alice evaluated the covariance matrix. This was followed by evaluating the channel parameters using the receiver calibration data, performing the 'parameter estimation test' (refer Theorem 2 in ref. 10), and getting a bound on Eve's Holevo information. Subtracting ξ t from the total excess noise of 30.9 mPNU yielded the mean untrusted noise ξ u = 30.9 − 25.7 = 5.2 mPNU, while dividing the total transmittance of 0.25 by τ gives us the mean untrusted transmittance η = 0.25/0.69 = 0.36. 3. Alice calculated a secret key length l = 41378264 bits in the worstcase scenario by substituting in Eq. (1) the security parameters ϵ h = ϵ ent = ϵ cal = ϵ s = ϵ PE = 10 −10 and ϵ IR = 10 −12 , and n = 2N PA (factor of 2 owing to data from both I and Q quadratures). As shown in Fig. 1, this length was communicated together with a seed to Bob to

Discussion
Using the equations presented in section "Composably secure key", we can calculate the composably secure key length for a certain number n of the quantum symbols. We partitioned N = 10 9 in 25 blocks, estimated the key length considering the total number N k of symbols accumulated from the first k blocks, for k ∈ {1, 2, …, 25}. Dividing this length by N k yields the composable secret key fraction (SKF) in bits/symbols. If we neglect the time taken by data acquisition, DSP, and the classical steps of the protocol, i.e., only consider the time taken to modulate N = N k coherent states at the transmitter (at a rate B = 100 MSymbols/ s), we can construct a hypothetical time axis to show the evolution of the CVQKD system. Figure 3a depicts such a time evolution of the SKF after proper consideration to the finite-size corrections due to the average and worst-case (black and red data points, respectively) values of the underlying parameters. Similarly, Fig. 3b shows the experimentally measured untrusted noise ξ u (lower squares) together with the worst-case estimator (upper dashes) calculated using N k in the security analysis. To obtain a positive key length, the worst-case estimator must be below the maximum tolerable noise-null key fraction threshold-shown by the dashed line, and this occurs at N/B ≈ 2.0 s.
Note that in reality, the DSP and classical data processing consume a significantly long time: In fact, we store the data from the state preparation and measurement stages on disks and perform these steps offline. The plots in Fig. 3 therefore may be understood to be depicting the time evolution of the SKF and the untrusted noise if the entire protocol operation was in real time.
Referring to Fig. 3a, the solid-red and dashed-black traces simulate the SKF in the worst-case and average scenarios, respectively, while the dotted-orange trace shows the asymptotic SKF value (with FER taken into account) obtainable with the given channel parameters. Per projections based on the simulation, the worst-case composable SKF should be within 5% of the asymptotic value for N ≈ 10 11 complex symbols.
From a theoretical perspective, the reason for being able to generate a positive composable key length with a relatively small number of coherent states (N ≈ 2 × 10 8 ) can mainly be attributed to the improvement in confidence intervals during PE; refer Eqs. (6) and (7). Figure 3c and d quantitatively compare the scaling factor in the RHS of these equations, respectively, as a function of N for three different distributions. The estimatorsx,ŷ,ẑ for this purpose are the actual values obtained in our experiment and we used an ϵ PE = 10 −10 . The difference between the confidence intervals used in ref. 10 (suitably modified here for a fair comparison) with those derived here, based on the Beta distribution, is quite evident at lower values of N, as visualized by comparing the dashed-blue trace with the solid-red one.
Since the untrusted noise has a quadratic dependence on the covariance in contrast to variance where the dependence is linear, a method that tightens the confidence intervals for the covariance can be expected to have a large impact on the final composable SKF. In fact, if we had used the confidence intervals of Ref. 10, our implementation would not have produced any composable key until N = 10 9 , at which the worst-case SKF would have been 6.04 × 10 −4 , i.e., almost two orders of magnitude lower than what we have achieved here (single blue data point in bottom-right corner of Fig. 3a).
On the practical front, a reasonably large transmission rate B = 100 MSymbols/s of the coherent states together with the careful analysis and reduction of untrusted noise (refer section "Noise analysis & calibration" for more details) enables an overall fast, yet low-noise and highly stable system operation, critical in quickly distributing raw correlations of high quality and keeping the finite-size corrections minimal. Table 1 provides a comparison of results from our proof-ofconcept experiment with three other Gaussian-modulated CVQKD experiments 20,21,33 that provide security against collective attacks but do not include composable security definitions. Table 1 also lists two 40,41 of (multiple) DVQKD experiments that have been able to prove composable security against general attacks in a realistic finite size regime-the holy grail for any QKD system. In the "Methods" section, we discuss the challenges for our CVQKD implementation in achieving this security criterion.
In conclusion, our results have demonstrated composability and protection against collective attacks while ensuring robustness against finite-size effects in a coherent-state CVQKD protocol, operating in laboratory conditions, over a 20 km long quantum channel. With an order of magnitude larger N and half the current value of ξ u , we expect to obtain a non-zero length of the composable key while tolerating channel losses around 8 dB, i.e., distances up to~40 km (assuming an Values with a superscript * may be somewhat inaccurate as they were inferred from a graph. μ, mean photon number of the quantum state alphabet; ξ u , untrusted noise (referred to channel output); ξQ, quantum bit error rate; B, repetition rate in pulsed or quantum data bandwidth in CW implementations; N, number of transmitted quantum data symbols or pulses in the experiment; secret key fraction (SKF), secret key length in bits divided by N. It is possible to parametrize ξu and ξQ by the same quantity, namely the mean number of noise photons from the channel, in CV and DV systems, respectively 36 . Also, assuming symmetry between the quadratures, 1 photon number unit (PNU) corresponds to a variance of 2 shot noise units (SNU). R/TLO: real/transmitted LO.
attenuation factor of 0.2 dB/km). This should be achievable with some improvements in the hardware as well as the digital signal processing. We therefore expect that in the future, users across a point-to-point link could use the composable keys from our implementation to enable real applications such as secure data encryption, thus ushering in a new era for CVQKD.

Penalty from the asymptotic equipartition property
In ref. 25, the asymptotic equipartition property bound is proven in Corollary 6.5: 'ðδÞ : = À log 2 1 À In the following, we use the fact that H min ðX |EÞ is non-negative for our classical-quantum state, a proof of which is given in Supplementary Note 2.
H max ðX |EÞ ≤ log 2 2 2d ) where d denotes the number of bits per quadrature used during discretization.
Using the above relations in Eq. (10) Putting all together we finally obtain Δ AEP ðδ, dÞ ≤ 4ðd + 1Þ ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi log 2 2 Penalty from entropy estimation The entropy Hð Y Þ in Eq. (5) can be estimated from the empirical frequency where n 0 ðy j Þ is the number of times a specific complex symbol y j = q j rx + ip j rx is obtained, and n 0 is the total number of exchanged and corrected quantum symbols. One can define an entropy estimator which is linked to Hð Y Þ by the following inequality 10,42 : This holds true up to a probability smaller than ϵ ent .

Composable security against general attacks
For CVQKD with coherent states, the only known proofs providing composable security against general attacks 11,15 requires dual quadrature detection. This rules out the experiment in ref. 21, as despite recording the largest N = 10 11 symbols and the lowest ξ u value amongst all CVQKD works in Table 1, it used homodyning. On the upside, the proofs permit the assumption that the underlying quadrature data follows a Gaussian distribution, which somewhat relaxes the requirements on N. For instance, in the case of confidence intervals, one can observe the dotted-green traces in Fig. 3c and d show the best performance. Nevertheless, to achieve composable security against general attacks, one needs ϵ (gen)~O (N 4 )ϵ (coll) as the final security parameter. A reasonable ϵ (gen) of 10 −9 assuming N~10 8 then requires ϵ (coll) < 10 −41 but this is not the case with our current setup as ϵ (coll) ≳ ϵ qrng = 2 × 10 −6 actually. This limitation, due to the ADC digitization error in the QRNG, could be improved using longer measurement periods 30 . Yet another issue is the symmetrization requirement, a procedure in which Alice and Bob need to multiply their respective symbol trains by an identical random orthogonal matrix of size N × N, which poses a major computational challenge.

Reporting summary
Further information on research design is available in the Nature Research Reporting Summary linked to this article.

Data availability
The data used in making some of the plots in Fig. 3 of the article have been deposited in the DTU database (https://doi.org/10.11583/DTU. 20198891.v1). All other data are available from the corresponding authors upon reasonable request.